Department of Homeland Security
Office of Inspector General

Information Technology Management Letter for the FY 2009
Federal Law Enforcement Training Center
Financial Statement Audit

OIG-10-83                                                       April 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

April 30, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report presents the information technology (IT) management letter for the Federal Law Enforcement Training Center (FLETC) financial statement audit as of September 30, 2009. It contains observations and recommendations related to information technology internal control that were summarized within the Independent Auditors' Report, dated December 31, 2009, and represents the separate limited distribution report mentioned in that report. The independent accounting firm KPMG LLP (KPMG) performed the audit procedures at FLETC in support of the FLETC FY 2009 consolidated financial statements and prepared this IT management letter. KPMG is responsible for the attached IT management letter dated December 31, 2009, and the conclusions expressed in it. We do not express opinions on FLETC's consolidated financial statements or internal control or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust that this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Frank Deffer
Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036

December 31, 2009

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
Federal Law Enforcement Training Center

Chief Financial Officer
Federal Law Enforcement Training Center

Ladies and Gentlemen:

We have audited the consolidated balance sheets of the Federal Law Enforcement Training Center (FLETC), a component of the U.S. Department of Homeland Security (DHS), as of September 30, 2009 and 2008, and the related consolidated statements of net cost, changes in net position, and the combined statement of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. In planning and performing our audit of the consolidated financial statements of FLETC, in accordance with auditing standards generally accepted in the United States of America, we considered FLETC's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements but not for the purpose of expressing an opinion on the effectiveness of FLETC's internal control. Accordingly, we do not express an opinion on the effectiveness of FLETC's internal control.

In planning and performing our fiscal year 2009 audit, we considered FLETC's internal control over financial reporting by obtaining an understanding of the design effectiveness of FLETC's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements. To achieve this purpose, we did not test all internal controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982. The objective of our audit was not to express an opinion on the effectiveness of FLETC's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of FLETC's internal control over financial reporting.

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or a combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

Our audit of FLETC as of, and for the year ended, September 30, 2009 disclosed a material weakness in the areas of information technology (IT) access controls, configuration management, and security management. These matters are described in the IT General Control Findings by Audit Area section of this letter.

The material weakness described above is presented in our Independent Auditors' Report, dated December 31, 2009. This letter represents the separate limited distribution report mentioned in that report.

KPMG LLP, a U.S. limited liability partnership, is the U.S. member firm of KPMG International, a Swiss cooperative.

The control deficiencies described herein have been discussed with the appropriate members of management, and communicated through Notices of Findings and Recommendations (NFRs). Our audit procedures are designed primarily to enable us to form an opinion on the consolidated financial statements, and therefore may not bring to light all weaknesses in policies or procedures that may exist. We aim to use our knowledge of FLETC gained during our audit engagement to make comments and suggestions that are intended to improve internal control over financial reporting or result in other operating efficiencies.

The Table of Contents below identifies each section of the letter.
We have provided a description of key FLETC financial systems and IT infrastructure within the scope of the FY 2009 FLETC consolidated financial statement audit in Appendix A; a description of each internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to certain additional matters have been presented in a separate letter to the Office of Inspector General and the FLETC Director dated December 31, 2009.

This communication is intended solely for the information and use of DHS and FLETC management, DHS Office of Inspector General, the Office of Management and Budget (OMB), U.S. Government Accountability Office, and the U.S. Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Very truly yours,

Department of Homeland Security
Federal Law Enforcement Training Center
Information Technology Management Letter
September 30, 2009

INFORMATION TECHNOLOGY MANAGEMENT LETTER

TABLE OF CONTENTS

Objective, Scope, and Approach
Summary of Findings and Recommendations
IT General Control Findings by Audit Area
  Findings Contributing to a Material Weakness in IT
    Access Controls and Configuration Management
    Security Management, Including After-Hours Physical Security Testing
Application Control Findings

APPENDICES

Appendix A  Description of Key FLETC Financial Systems and IT Infrastructure within the Scope of the FY 2009 FLETC Consolidated Financial Statement Audit Engagement
Appendix B  FY 2009 Notices of IT Findings and Recommendations at FLETC
            - Notice of Findings and Recommendations - Definition of Severity Ratings
Appendix C  Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at FLETC
Appendix D  Management's Comments and OIG Response
Appendix E  Report Distribution

OBJECTIVE, SCOPE, AND APPROACH

We were engaged to perform an audit of the Federal Law Enforcement Training Center's (FLETC) consolidated balance sheets as of September 30, 2009 and 2008. In connection with our audit of FLETC's consolidated financial statements we performed an evaluation of information technology general controls (ITGC) to assist in planning and performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation procedures. The scope of the ITGC evaluation is described further in Appendix A.

The FISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist them in planning their audit work and to integrate the work of auditors with other aspects of the consolidated financial statement audit. The FISCAM also provides guidance to IT auditors when considering the scope and extent of review that generally should be performed when evaluating general controls and the IT environment of a federal agency. The FISCAM defines the following five control functions as essential for the effective operation of the general IT controls environment.

- Security Management (SM) - Controls that provide a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of computer-related security controls.
- Access Control (AC) - Controls that limit and/or detect access to computer resources (data, programs, equipment, and facilities) and protect against unauthorized modification, loss, and disclosure.
- Configuration Management (CM) - Controls that help to prevent the implementation of unauthorized changes to information system resources (software programs and hardware configurations) and that provide reasonable assurance that systems are configured and operating securely and as intended.
- Segregation of Duties (SD) - Controls that constitute policies, procedures, and an organizational structure to manage who can control key aspects of computer-related operations.
- Contingency Planning (CP) - Controls that involve procedures for continuing critical operations without interruption, or with prompt resumption, when unexpected events occur.

To complement our general IT controls audit, we also performed technical security testing for key network and system devices. The technical security testing was performed both over the Internet and from within selected FLETC facilities, and focused on test, development, and production devices that directly support key general support systems.

- Application Controls (APC) - Application controls are the structure, policies, and procedures that apply to separate, individual application systems, such as accounts payable, inventory, or payroll.

We also performed application control tests on a limited number of FLETC's financial systems and applications. The application control testing was performed to assess the controls that support the financial systems' internal controls over the input, processing, and output of financial data and transactions.

SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2009, FLETC took corrective action to address many of its prior year IT control weaknesses. The upgrade of the Financial Accounting and Budgeting System (FABS, also called Momentum) and the installation of new hardware near the end of FY 2008 improved the overall security structure at FLETC. However, during FY 2009, we continued to identify IT general control weaknesses that impacted FLETC's financial data. The most significant control deficiencies from a consolidated financial statement audit perspective related to controls over access and configuration management and the weaknesses over physical security and security awareness.
Collectively, these IT control deficiencies limited FLETC's ability to ensure that critical financial and operational data were maintained in such a manner as to ensure confidentiality, integrity, and availability. In addition, these control deficiencies negatively impacted FLETC's internal controls over financial reporting and its operation. We consider these deficiencies to collectively represent a material weakness under standards established by the American Institute of Certified Public Accountants (AICPA). Based upon the results of our test work, we noted that FLETC also did not fully comply with the requirements of the Federal Financial Management Improvement Act (FFMIA).

Of the 10 findings identified during our FY 2009 testing, 6 were new IT findings. These findings represent control deficiencies in three of the five FISCAM key control areas. Specifically, the deficiencies are: 1) lack of management and review of system audit logs; 2) ineffective account management, involving user profiles, new user access, active terminated user accounts, generic user accounts, and lack of account recertifications; 3) inadequate configuration management; and 4) personnel inadequately trained on basic security management policies and procedures. These control deficiencies may increase the risk that the confidentiality, integrity, and availability of system controls and FLETC financial data could be exploited, thereby compromising the integrity of financial data used by management as reported in FLETC's consolidated financial statements.

While the recommendations made by KPMG should be considered by FLETC, it is the ultimate responsibility of FLETC management to determine the most appropriate method(s) for addressing the weaknesses identified based upon their system capabilities and available resources.

IT GENERAL CONTROL FINDINGS BY AUDIT AREA

Findings Contributing to a Material Weakness in IT

Conditions: During FY 2009, we noted the following IT general control and financial system functionality deficiencies that in the aggregate are considered a material weakness.

1. Access Controls and Configuration Management:

- Access and configuration management weaknesses on the Glynco Administrative Network (GAN) and the servers that support Momentum and the Student Information System (SIS). These weaknesses included default configuration settings, role and group policies, and weak password management. Note: Detailed vulnerability assessment results were previously provided to FLETC and included the risk level.
- System Engineering Life Cycle (SELC) for Momentum is not finalized.
- Momentum system software event audit logs are not being captured and reviewed.
- Password configuration settings for Linux, which supports Momentum system software, allow 6 failed logon attempts before the account is locked.
- Momentum and the GAN security violation audit logs lack management review and signoff.
- Momentum user profile creation or modification is not logged or tracked.
- Weak logical access controls over the GAN were noted as follows:
  - The GAN prohibits password reuse for 6 generations, which does not meet the DHS 4300A requirement of 8 password generations.
  - The GAN resets the account failed logon counter after 60 minutes, which does not meet the DHS 4300A requirement of 24 hours.
  - Generic user IDs, i.e., 'vcusersqp', 'vcusersqlar', 'PACSUser', 'BESAdmin', and other generic account descriptors were identified. In addition, several users have access to these accounts.
  - New user access authorization forms are not maintained.
  - Fourteen instances of active user accounts for terminated employees were identified.
  - A periodic review of GAN users is not performed.
- Weak logical access controls over the SIS were noted as follows:
  - A history of 2 passwords is stored; this does not meet the DHS 4300A requirement of 8 remembered passwords.
  - SIS is configured to have a minimum password age of 5 days; this does not meet the DHS 4300A requirement of 7 days.
  - SIS is not configured to reset the account failed logon counter, which does not meet the DHS 4300A requirement of a reset every 24 hours.
  - User lockout occurs after 6 invalid attempts (only 3 attempts are permitted per DHS 4300A).
  - System administrators share the 'root' username and password to perform administrative responsibilities.
  - A sample of audit logs that track changes to system data could not be provided.
  - Invalid user access attempts were not tracked and monitored until March 2009. Since this weakness was corrected during the fiscal year, no recommendation will be stated.
  - User profile creation is not tracked and a listing of profile creation dates could not be provided.
  - Evidence of periodic review of user accounts could not be provided.

2. Security Management, Including After-Hours Physical Security Testing:

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects included physical access to media and equipment that housed financial data and information residing within a FLETC employee's or contractor's work area, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various FLETC locations that process and/or maintain financial data. The specific results are shown in the following table:

                                           FLETC Locations Tested
Exceptions Noted                OIT Office,    Finance Office,  BFD, Procurement,     Telecommunications       Total Exceptions
                                Building 681   Building 66      and SIS, Building 93  Facility, Building 94    by Type
User Name and Passwords               1               9                21                     53                    84
For Official Use Only (FOUO)          2               1                 0                      1                     4
Keys/Badges                           0               0                 0                      7                     7
Personally Identifiable               0              80                 2                      1                    83
  Information (PII)
Server Names/IP Addresses             0               0                 0                      0                     0
Laptops                               3               0                 2                      1                     6
External Drives                       0               0                 0                      2                     2
Credit Cards                          0              12                 0                      0                    12
Classified Documents                  0               0                 0                      0                     0
Other - Describe                2 users still  1 user still            0              1 user still logged            4
                                logged into    logged into                            into DHS systems
                                DHS systems    DHS systems                            without a screensaver
                                without a      without a
                                screensaver    screensaver
Total Exceptions by Location          8             103                25                     66                   202

Recommendations: We recommend that the FLETC Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS Office of the Chief Financial Officer and the DHS Office of the Chief Information Officer, make the following improvements to FLETC's financial management systems and associated information technology security program:

Access Controls and Configuration Management:

1. Redistribute procedures and train employees on continuously monitoring and mitigating vulnerabilities.
   In addition, we recommend that FLETC periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, in addition to deploying patches.
2. Perform vulnerability assessments and penetration tests on all office IT systems within FLETC, from a centrally managed location with a standardized reporting mechanism that allows for trending on a regularly scheduled basis in accordance with National Institute of Standards and Technology (NIST) guidance.
3. Develop a more thorough approach to track and mitigate configuration management vulnerabilities identified during monthly scans. FLETC should monitor the vulnerability reports for necessary or required configuration changes to their environment.
4. Develop a process to verify that systems identified with "HIGH/MEDIUM Risk" configuration vulnerabilities do not appear on subsequent monthly vulnerability scan reports, unless they are verified and documented as a false positive. All risks identified during the monthly scans should be mitigated immediately and not be allowed to remain dormant.
5. Enable audit logging over all Momentum system software and ensure that logs are maintained and proactively reviewed by FLETC IT management.
6. Enforce existing FLETC policy and procedures over maintenance and review of Momentum security violation logs.
7. Establish and implement procedures to document and review logs of auditable events on the GAN.
8. Activate logs for monitoring Momentum user profile creation and modifications.
9. Implement the corrective actions identified during the audit vulnerability assessment as identified in the issued NFR of the audit.
10. Perform periodic scans of the FLETC network environment, including the financial processing environment, for the identification of vulnerabilities, in accordance with NIST SP 800-42, and implement corrective actions to mitigate the risks associated with any vulnerabilities identified during periodic scans.
11. Establish a process to ensure that GAN and Linux (Momentum system software) are configured to meet minimum DHS password configuration requirements.
12. Remove all GAN and SIS generic/shared accounts and conduct periodic reviews of user access lists to ensure compliance.
13. Establish and enforce procedures for the completion and maintenance of user access forms for GAN and SIS.
14. Enforce procedures for the removal of transferred and/or terminated users within the GAN upon their separation from FLETC.
15. Establish and implement policies and procedures for recertification of GAN user privileges. This process should include a method to document user recertification and a process to maintain evidence of reviews.
16. Establish a process to ensure the SIS is configured to meet minimum DHS password and system configuration requirements.
17. Retain audit trail records in accordance with DHS policies in order to support potential incidents within the system, and for review of user privileges.
18. FLETC has effectively implemented the DHS SELC as of April 2009.
    Therefore, no recommendation will be stated.

Security Management:

1. Ensure that users are trained and aware of safeguarding login credentials, locking network sessions to DHS systems, and locking any sensitive information, media containing sensitive information, or data not suitable for public dissemination in secure locations when not in use.
2. Effectively limit access to DHS buildings, rooms, work areas, spaces, and structures housing IT systems, equipment, and data to authorized personnel.

Cause and Effect

FLETC is not continuously monitoring their vulnerability assessment scans for configuration management vulnerabilities. As a result, default system and application configuration installations on FLETC's Glynco Administrative Network (GAN), Financial Accounting and Budgeting System (FABS), and Student Information System (SIS) increase the possibility of compromising the availability, integrity, and confidentiality of financial data on the network. This could expose the information system controls environment to security breaches, unauthorized access, service interruptions, and denial of service attacks.

FLETC has been relying on the full implementation of the Security Information Management (SIM) system, which will monitor Momentum system software and the GAN audit logs. However, this has not occurred to date due to lack of staffing. In addition, due to the lack of management oversight, the Momentum approval and security logs review procedures are not being adhered to.
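The review step the preceding paragraphs say is not happening (management review of Momentum and GAN security-violation logs, and tracking of failed logon attempts against the thresholds the findings cite) can be made routine with a small script. The following is an added example, not part of the KPMG letter or of any FLETC system: the log format, the account names and the events are constructed, and only the thresholds (lockout after 3 failed attempts, counter kept for 24 hours) come from the letter. It also shows why the 60-minute counter reset noted on the GAN matters: failures spread an hour and a half apart trip the 24-hour window but are never counted under a 60-minute one.

```python
"""Added example (not from the KPMG letter or any FLETC system): a minimal
management-review pass over security audit-log lines.

Log format, account names and events are constructed for this example. The
thresholds are the DHS 4300A values as the letter states them: lockout after
3 failed attempts, failed-logon counter kept for 24 hours.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON_LIMIT = 3                  # attempts before lockout (letter)
REQUIRED_WINDOW = timedelta(hours=24)   # counter reset period (letter)
GAN_WINDOW = timedelta(minutes=60)      # the reset period the GAN used

# Constructed sample lines: "<ISO timestamp> <EVENT> key=value ..."
SAMPLE_LOG = """\
2009-03-02T08:01:10 LOGON_FAIL user=jdoe
2009-03-02T08:01:40 LOGON_FAIL user=jdoe
2009-03-02T08:02:05 LOGON_FAIL user=jdoe
2009-03-02T08:15:00 LOGON_OK user=asmith
2009-03-02T09:00:00 LOGON_FAIL user=cjones
2009-03-02T09:30:00 PROFILE_CREATE user=asmith target=newhire7
2009-03-02T10:30:00 LOGON_FAIL user=cjones
2009-03-02T11:00:00 PROFILE_MODIFY user=asmith target=jdoe role=approver
2009-03-02T12:00:00 LOGON_FAIL user=cjones
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, attributes)."""
    ts, event, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), event, attrs


def lockout_candidates(failures_by_user, window):
    """Users whose failed logons reach FAILED_LOGON_LIMIT inside `window`.

    A sliding window over each user's sorted failure times, so the result
    depends on how long the counter is kept before it resets.
    """
    flagged = []
    for user, times in failures_by_user.items():
        times = sorted(times)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop attempts older than window
                start += 1
            if end - start + 1 >= FAILED_LOGON_LIMIT:
                flagged.append(user)
                break
    return flagged


def review(log_text, window=REQUIRED_WINDOW):
    """Return the items a reviewer must examine and sign off on."""
    failures = defaultdict(list)      # user -> failed logon timestamps
    profile_changes = []              # (time, event, actor, target)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event, attrs = parse_line(raw)
        if event == "LOGON_FAIL":
            failures[attrs["user"]].append(ts)
        elif event in ("PROFILE_CREATE", "PROFILE_MODIFY"):
            profile_changes.append((ts, event, attrs["user"], attrs["target"]))
    return {
        "lockout_candidates": lockout_candidates(failures, window),
        "profile_changes": profile_changes,
    }


if __name__ == "__main__":
    for label, window in (("24-hour counter", REQUIRED_WINDOW),
                          ("60-minute counter", GAN_WINDOW)):
        print(label, "->", review(SAMPLE_LOG, window)["lockout_candidates"])
    for change in review(SAMPLE_LOG)["profile_changes"]:
        print("needs sign-off:", change)
```

With the 24-hour counter both jdoe and cjones are flagged; with the 60-minute counter only jdoe is, because each of cjones's attempts falls outside the window of the previous one. The two profile-change records are what a reviewer would sign off on under recommendation 8.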
The lack of audit logs may cause security-related incidents to go unnoticed and uninvestigated, thus allowing potential unauthorized system software changes to deploy into the production environment.

FLETC management has not enabled the Momentum audit logging system setting, which would capture user profile creation and modification. Without logging of new users and profile changes, FLETC would be unaware of any unauthorized additions or changes to profiles within Momentum. This could also lead to a violation of both separation of duties and least privilege principles in practice.

Due to the lack of management oversight, GAN logical access controls and Momentum system software access controls have not been strengthened to meet DHS IT security compliance. In addition, FLETC management considers the SIS to have a low impact on operations; therefore, sufficient controls have not been implemented. Having weak system access controls increases the risk of unauthorized individuals gaining access to and improperly modifying or destroying data. Also, having generic/shared user accounts on a production system reduces the audit and accountability of users within the system. Without documenting and approving access forms to applications, management is unaware of the system access an individual may possess. This could lead to a violation of both separation of duties and least privilege principles. Additionally, unauthorized users may obtain access to the systems.
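The preceding paragraph attributes the GAN, Momentum and SIS access-control gaps to settings that were never brought up to the DHS minimums. The following is an added example, not from the letter or any FLETC system, of checking a set of password and lockout parameters against the minimums as the letter states them (8 remembered passwords, 7-day minimum password age, lockout after 3 failed attempts, failed-logon counter kept for 24 hours). The parameter names, the key = value file format and both sample configurations are constructed; the weak sample mirrors the SIS findings listed above, and an unset counter-reset value is treated as a deviation, as the letter treats it.

```python
"""Added example (not from the KPMG letter or any FLETC system): compare
password and lockout settings against the DHS 4300A minimums as the letter
states them. Parameter names, file format and sample configurations are
constructed; only the required values come from the letter.
"""

# Required values as stated in the letter. "min": observed must be at least
# this; "max": observed must not exceed it.
REQUIREMENTS = {
    "password_history": ("min", 8),              # generations remembered
    "min_password_age_days": ("min", 7),
    "lockout_threshold": ("max", 3),             # failed attempts before lockout
    "lockout_counter_reset_minutes": ("min", 24 * 60),
}


def parse_settings(text):
    """Parse 'key = value' lines (constructed format); '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = int(value.strip())
    return settings


def check(settings):
    """Return (setting, observed, required) for every deviation.

    A setting that is absent is reported with observed=None: a control that
    is not configured is not enforced.
    """
    deviations = []
    for key, (kind, required) in REQUIREMENTS.items():
        if key not in settings:
            deviations.append((key, None, required))
            continue
        observed = settings[key]
        too_low = kind == "min" and observed < required
        too_high = kind == "max" and observed > required
        if too_low or too_high:
            deviations.append((key, observed, required))
    return deviations


# Constructed sample mirroring the SIS findings in the letter
WEAK = """
password_history = 2
min_password_age_days = 5
lockout_threshold = 6
# lockout_counter_reset_minutes not set: counter never resets
"""

# Constructed sample meeting every stated minimum
COMPLIANT = """
password_history = 8
min_password_age_days = 7
lockout_threshold = 3
lockout_counter_reset_minutes = 1440
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("compliant", COMPLIANT)):
        found = check(parse_settings(text))
        print(f"{label}: {len(found)} deviation(s)")
        for key, observed, required in found:
            print(f"  {key}: observed={observed} required={required}")
```

The check is deliberately one-directional: a history longer than 8 or a reset window longer than 24 hours passes, while any shortfall, or a parameter that is simply absent, is reported so it can be tracked to closure the way recommendations 11 and 16 call for.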
Without formally documented access review and recertification procedures, reviewers do not have an IT standard for effectively conducting the recertification of GAN accounts. This creates the risk that users retain account privileges that are no longer needed, or that should not have been granted in the first place.

FLETC management has not ensured that personnel are adequately trained in, and aware of, the basic IT security requirements and policies prescribed by DHS and FLETC to protect their login credentials, lock network sessions to DHS systems, secure information system hardware, and securely store and limit access to For Official Use Only (FOUO) and Personally Identifiable Information (PII) data. The failure to control access to sensitive IT resources and FLETC documentation could result in the theft or destruction of FLETC assets, unauthorized access to sensitive information, and disruptions in the processing of FLETC financial systems. Additionally, FLETC personnel who are not adequately trained to protect their login credentials present an increased risk of unauthorized access to sensitive information from external and internal threats.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective general IT controls. The Federal Financial Management Improvement Act (FFMIA) sets forth legislation prescribing policies and standards for executive departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems.
The purpose of FFMIA is: (1) to provide for consistency of accounting by an agency from one fiscal year to the next, and uniform accounting standards throughout the Federal Government; (2) to require Federal financial management systems to support full disclosure of Federal financial data, including the full costs of Federal programs and activities; (3) to increase the accountability and credibility of Federal financial management; (4) to improve the performance, productivity, and efficiency of Federal Government financial management; and (5) to establish financial management systems to support controlling the cost of the Federal Government. We also assessed FLETC's compliance with DHS Sensitive Systems Policy Directive 4300A.

APPLICATION CONTROL FINDINGS

We did not identify any findings in the area of application controls during the fiscal year 2009 FLETC consolidated financial statement audit engagement.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from the FLETC CIO. Generally, FLETC agreed with all of our findings and recommendations. FLETC has developed a remediation plan to address these findings and recommendations.
We have included a copy of the comments in Appendix D.

OIG Response

We agree with the steps that FLETC management is taking to satisfy these recommendations.

Appendix A

Description of Key FLETC Financial Systems and IT Infrastructure within the Scope of the FY 2009 FLETC Consolidated Financial Statement Audit

Below is a description of the significant FLETC financial management systems and supporting IT infrastructure included in the scope of the FY 2009 FLETC Consolidated Financial Statement Audit.

Location of Audit: FLETC Headquarters in Glynco, Georgia, and the FLETC field office in Cheltenham, Maryland.

Key Systems Subject to Audit:

   • Financial Accounting and Budgeting System (FABS), also called Momentum: FLETC's core financial management system, which processes financial documents generated by various FLETC divisions in support of procurement, payroll, budget, and accounting activities.
All financial, procurement, and budgeting transactions in which FLETC is involved are processed by Momentum.

   • Student Information System (SIS): The system captures and facilitates the FLETC student registration process and billing. SIS stores, processes, and transmits Sensitive But Unclassified (SBU) information, which includes individual student personal information. Additional data types include specific course information (e.g., course numbers, dates, associated agencies, locations, and billing costs).

Appendix B

FY 2009 Notices of IT Findings and Recommendations at FLETC

Notices of Findings and Recommendations – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating its influence on the FLETC Consolidated Financial Statement Audit.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided to assist FLETC in the development of corrective action plans for remediation of the deficiency.

Notification of Findings and Recommendations – Detail

NFR # FLETC-IT-09-03 (Repeat Issue; Severity Rating 3)

Condition: We determined that SOP 4250, which has been in effect for the entire fiscal year, was last updated on May 12, 2009, and that FLETC has developed a manual control for the installation of system software for Momentum. Specifically, logs of file changes to the Momentum UNIX servers are reviewed monthly. Therefore, this condition of the prior weakness has been partially corrected. We also determined that FLETC is still in the process of implementing the Security Information Management System (SIM) to compile audited events of Oracle and other system software for review by FLETC personnel. FLETC management has confirmed that Oracle logs are not being reviewed to identify potential anomalies or incidents. Due to the lack of audit logging procedures around system software for Momentum, this NFR will be reissued.

Recommendation: We recommend that FLETC enable audit logging over all Momentum system software and ensure that logs are maintained and proactively reviewed by management.

NFR # FLETC-IT-09-04 (Repeat Issue; Severity Rating 3)

Condition: We determined that FLETC has implemented DHS's System Engineering Lifecycle (SELC, formerly called SDLC) into its business processes, and that it is promulgated to personnel involved in the change management process. However, we determined that implementation did not occur until April 2009. As a result, we will be reissuing this NFR with no recommendation, since the condition existed for a majority of the fiscal year.

Recommendation: As FLETC has effectively put into place procedures over the implementation of DHS's SELC effective April 2009, no recommendation will be offered.

NFR # FLETC-IT-09-26 (Repeat Issue; Severity Rating 3)

Condition: During the internal vulnerability assessment efforts of FLETC's Glynco Administrative Network (GAN), Financial Accounting and Budgeting System (FABS), and Student Information System (SIS), we identified several High/Medium Risk vulnerabilities related to Configuration Management and Password Management. We confirmed that security configuration management weaknesses (i.e., default configuration settings, role and group policies, password policy, and user account management) continue to exist on hosts supporting FLETC. The conditions are exploitable by an insider without specific knowledge of the operation of the system or the applications hosted on that system. These conditions can be found in the table within the actual NFR.

Recommendation: Implement the corrective actions for the recommendations listed within the NFR.

NFR # FLETC-IT-09-31 (Repeat Issue; Severity Rating 3)

Condition: We determined that in January 2009, FLETC implemented Standard Operating Procedure (SOP) #60, titled "Monthly Review of Security and Approval Logs", which requires management review and sign-off. However, FLETC was unable to provide documentation supporting the management review of approval logs for April, May, June, and July. In addition, FLETC was unable to provide evidence of management review of the security violation logs for June and July 2009.

Recommendation: We recommend that FLETC enforce its policies and procedures for the maintenance and periodic review of audit logs for Momentum.

NFR # FLETC-IT-09-33 (New Issue; Severity Rating 3)

Condition: We determined that logs of auditable events in the LAN are not being reviewed to identify potential anomalies or incidents. FLETC is in the process of implementing SIM with the capability to manage logged auditable events for review by personnel. We determined that while the SIM is being implemented, FLETC does not have an alternative procedure for the review of these logs.

Recommendation: We recommend that FLETC establish and implement procedures to document and review logs of auditable events in the LAN.

NFR # FLETC-IT-09-34 (New Issue; Severity Rating 3)

Condition: We determined that access control weaknesses existed over the Momentum access authorizations for user profiles created or modified during the fiscal year. Specifically, we learned that profile creation and modification are not tracked and a listing of events could not be provided.

Recommendation: We recommend that FLETC activate the logs for tracking the addition of new users and profile changes to Momentum.

NFR # FLETC-IT-09-35 (New Issue; Severity Rating 3)

Condition: We noted several weaknesses with logical access controls related to the GAN:
   • The GAN is configured to prohibit password reuse for 6 generations, which does not meet the DHS standard of 8 password generations.
   • The GAN is configured to reset the account failed logon counter after 60 minutes, which does not meet the DHS standard of 24 hours.
   • Several user IDs were identified as having excessive access.
   • Supporting documentation for new user authorizations to the GAN could only be provided for 10 of the 25 users sampled.
   • Fourteen separated employees still had active user accounts on the GAN.
   • Formalized procedures are not in place for periodic reviews of GAN users.

Recommendation: We recommend that FLETC Management:
   • Establish a process to ensure the GAN is configured to meet minimum DHS password configuration requirements.
   • Remove all generic/shared accounts and conduct periodic reviews of the user access lists to ensure compliance.
   • Establish and enforce procedures for the completion and maintenance of user access forms for the GAN.
   • Enforce procedures for the removal of transferred/terminated users within the GAN upon their separation from FLETC.
   • Establish and implement policies and procedures for recertification of GAN user privileges.

NFR # FLETC-IT-09-36 (New Issue; Severity Rating 3)

Condition: During our after-hours physical testing, we identified 84 password discrepancies, 4 For Official Use Only violations, 7 unsecured ID badges/keys, 83 Personally Identifiable Information violations, 6 unsecured laptops, 2 unsecured external drives, 12 unsecured credit cards, and 4 users logged into a system without an active screen saver set.

Recommendation: We recommend that FLETC management implement processes to:
   • Ensure that users are trained and aware of safeguarding login credentials, locking network sessions to DHS systems, and locking any sensitive information, media containing sensitive information, or data not suitable for public dissemination in secure locations when not in use.
   • Effectively limit access to DHS buildings, rooms, work areas, spaces, and structures housing IT systems, equipment, and data to authorized personnel.

NFR # FLETC-IT-09-37 (New Issue; Severity Rating 3)

Condition: We noted several weaknesses relating to logical access controls for the SIS. Specifically, we determined the following:
   • SIS is configured to store a password history of 2 passwords, which does not meet the DHS 4300A requirement of 8 remembered passwords.
   • SIS is configured with a minimum password age of 5 days, which does not meet the DHS 4300A requirement of 7 days.
   • SIS is not configured to reset the account failed logon counter, which does not meet the DHS 4300A requirement of a reset every 24 hours.
   • Users were not locked out until after 6 invalid attempts to access the application.
   • SIS system administrators share the 'root' username and password to perform administrative responsibilities.
   • A sample of audit logs that track changes to system data could not be provided.
   • Invalid user access attempts were not tracked and monitored until March 2009.
   • User profile creation is not tracked and a listing of profile creation dates could not be provided.
   • Evidence of periodic review of user accounts could not be provided.

Recommendation: We recommend that FLETC management:
   • Establish a process to ensure the SIS is configured to meet minimum DHS password configuration requirements.
   • Adjust system configuration settings to lock out users after 3 invalid logon attempts, as designated by DHS policies.
   • Remove all generic/shared accounts and conduct periodic reviews of the user access lists to ensure compliance.
   • Retain audit trail records in accordance with DHS policies in order to support potential incidents within the system, and for review of user privileges.
   • Activate tracking for the addition of new users to SIS.
   • Since this weakness was corrected during the fiscal year, no recommendation will be stated.

NFR # FLETC-IT-09-38 (New Issue; Severity Rating 3)

Condition: We determined that weak access controls exist over Momentum's system software. Specifically, we noted that the password configuration settings for Linux, which supports Momentum, are set to allow a user to attempt to log on 6 times before the account is locked out.

Recommendation: We recommend that management establish a process to ensure FLETC systems are configured to meet minimum DHS logical access configuration requirements.

Appendix C

Status of Prior Year Notices of Findings and Recommendations and Comparison to Current Year Notices of Findings and Recommendations at FLETC
NFR No.          Disposition       Description
FLETC-IT-08-01   Closed            Momentum Configuration Management Needs Improvement
FLETC-IT-08-02   Closed            Procurement Desktop Configuration Management Needs Improvement
FLETC-IT-08-03   Repeat (09-03)    Installation of Momentum System Software is not Logged or Reviewed
FLETC-IT-08-04   Repeat (09-04)    The SDLC for Momentum is not Finalized
FLETC-IT-08-05   Closed            Momentum Backups are not Tested
FLETC-IT-08-06   Closed            The Momentum Contingency Plan is not Completed
FLETC-IT-08-07   Closed            Incidents are not Tracked in an Incident Response Management System
FLETC-IT-08-08   Closed            Lack of Policies and Procedures over Incompatible Duties within Procurement Desktop
FLETC-IT-08-09   Closed            Telecom Room Access Controls Need Improvement
FLETC-IT-08-10   Closed            Momentum and Procurement Desktop Access Controls Need Improvement
FLETC-IT-08-11   Closed            IT Security Awareness Training is in Draft Form
FLETC-IT-08-12   Closed            Policies and Procedures over Mobile Code Technologies are not Developed
FLETC-IT-08-13   Closed            Policies and Procedures for Review of Momentum Audit Logs are not Developed
FLETC-IT-08-14   Closed            Policies and Procedures for Restricting Access to Momentum System Software are not Developed
FLETC-IT-08-15   Closed            Policies and Procedures for Segregating Incompatible Duties in Momentum are not Developed
FLETC-IT-08-16   Closed            Policies and Procedures over VoIP Technologies are not Developed
FLETC-IT-08-17   Closed            Background Investigations for Contractors are not Consistently Performed
FLETC-IT-08-18   Closed            Procurement Desktop Audit Logs Need Improvement
FLETC-IT-08-20   Closed            Access to FLETC LAN is not Effectively Controlled
FLETC-IT-08-21   Closed            FLETC Manual 4300: IT System Security Program and Policy are not Finalized
FLETC-IT-08-22   Closed            Access Controls over Procurement Desktop are not Effective
FLETC-IT-08-23   Closed            Lack of Procedures for Recertifying Procurement Desktop Users
FLETC-IT-08-24   Closed            Momentum/Procurement Desktop Contingency Plan is not Maintained at the Alternate Processing Site
FLETC-IT-08-25   Closed            Policies and Procedures over Anti-Virus Software for Servers and System Maintenance are not Finalized
FLETC-IT-08-26   Repeat (09-26)    Configuration Management Weaknesses on the Procurement Desktop, Momentum, and GSS
FLETC-IT-08-27   Closed            Patch Management Weaknesses on Procurement Desktop and GSS
FLETC-IT-08-29   Closed            Procurement Desktop Backups are not Tested
FLETC-IT-08-30   Closed            Momentum Users are Granted Inappropriate Super User Access
FLETC-IT-08-31   Repeat (09-31)    Momentum Security Violation Events are not Reviewed
FLETC-IT-08-32   Closed            Momentum Segregation of Duties Controls are not Effective

Appendix D
                                                                                            Federal Law Enforcement Training Center
                                                                                            U.S. Department of Homeland Security
                                                                                            1131 Chapel Crossing Road
                                                                                            Glynco, Georgia 31524

                                             March 29, 2010


   MEMORANDUM FOR:               Frank Deffer
                                 Assistant Inspector General
                                 Information Technology Audits

   FROM:                         Sandy H. Pe
                                 Assistant Director/Chief Information Officer
                                 Chief Information Officer Directorate

   SUBJECT:                      Response to Draft Audit Report - Information Technology
                                 Management Letter for the FY2009 Federal Law Enforcement
                                 Training Center (FLETC) Financial Statement Audit

   The Federal Law Enforcement Training Center (FLETC) appreciates your efforts in assessing the
   effectiveness of information technology (IT) general controls for FLETC's financial processing
   environment and supporting IT infrastructure.
   As always, the FLETC welcomes your observations
   and recommendations for ensuring a secure and compliant operational environment.

   We have completed our review of the draft Office of Inspector General, Information Technology
   Management Letter for the FY2009 Federal Law Enforcement Training Center Financial Statement
   Audit and concur with the Notice of Findings and Recommendations (NFRs). The FLETC has
   made progress by addressing many of its prior year's IT control weaknesses. However, it is
   understood that additional corrective action is needed to address the remaining findings and the six
   new IT recommendations, which collectively represent a material weakness.

   The FLETC continues to improve and enhance its financial and overall IT security controls in an
   effort to resolve deficiencies identified in the report.

   The point of contact for additional information or questions is the FLETC Chief Information Security
   Officer, Jeffery W. Johnson, (912) 267-2136.

   cc:   Alan Titus, FLETC Chief Financial Officer

                                                                                           www.fletc.gov

                                                                           Appendix E

              Report Distribution

              Department of Homeland Security

              Secretary
              Deputy Secretary
              General Counsel
              Chief of Staff
              Deputy Chief of Staff
              Executive Secretariat
              Under Secretary, Management
              Director, FLETC
              DHS Chief Information Officer
              DHS Chief Financial Officer
              Chief Financial Officer, FLETC
              Chief Information Officer, FLETC
              DHS Chief Information Security Officer
              Assistant Secretary, Policy
              Assistant Secretary for Public Affairs
              Assistant Secretary for Legislative Affairs
              DHS GAO OIG Audit Liaison
              Chief Information Officer, Audit Liaison
              Audit Liaison, FLETC

              Office of Management and Budget

              Chief, Homeland Security Branch
              DHS OIG Budget Examiner

              Congress

              Congressional Oversight and Appropriations Committees as Appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.